Fergie's Tech Blog

Saturday, April 18, 2009

Chinese Spies May Have Slipped Chips into U.S. Planes

The Chinese cyber spies have penetrated so deep into the US system — ranging from its secure defence network, banking system, electricity grid to putting spy chips into its defence planes — that it can cause serious damage to the US any time, a top US official on counter-intelligence has said.

“Chinese penetrations of unclassified DoD networks have also been widely reported. Those are more sophisticated, though hardly state of the art,” said National Counterintelligence Executive, Joel Brenner, at the Austin University Texas last week, according to a transcript made available on Wednesday.

Listing out some of the examples of Chinese cyber spy penetration, he said: “We’re also seeing counterfeit routers and chips, and some of those chips have made their way into US military fighter aircraft.. You don’t sneak counterfeit chips into another nation’s aircraft to steal data. When it’s done intentionally, it’s done to degrade systems, or to have the ability to do so at a time of one’s choosing.”

Referring to the Chinese networks penetrating the cyber grids, he said: “Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do. America’s networks are being mapped. There has also been experience of both Chinese and criminal network operations in the networks of some of the banks”.

Friday, April 17, 2009

Breaking: Obama Appoints Aneesh Chopra as CTO

President Barack Obama will announce this morning (Saturday, Apr. 18, 2009) that Aneesh Chopra, Virginia’s secretary of technology, will join his administration as the White House chief technology officer.

Obama, as part of his weekly address , also plans to announce that he will appoint Jeffrey Zients to the position of deputy director for Management of the Office of Management and Budget, with additional duties as the federal government's first chief performance officer. Zients is the founder and managing partner of Portfolio Logic, an investment firm focused primarily on business and healthcare service companies. Zients previously served as chief executive officer and chairman of the Advisory Board Company in Washington, D.C.

Chopra leads Virginia's strategy to leverage technology in government reform, to promote Virginia’s innovation agenda, and to foster technology-related economic development, the White House said. Previously, he worked with Zients as managing director with the Advisory Board Company, leading the firm’s Financial Leadership Council and the Working Council for Health Plan Executives.

Classic xkcd: New Car

More FBI Hacking: Feds Crack Wi-Fi to Gather Evidence

Buried in the 150 pages of CIPAV spyware-related documents released by the FBI Thursday is a tantalizing nugget that indicates the bureau's technology experts have more than one way to hack a suspect.

In early 2007, FBI agents with one of the bureau's International Terrorism Operations Sections sought hacking help from the FBI's geek squads. The agents were working a case in Pittsburgh, which is not described in the documents, and wanted to know "if [a] remote computer attack can be conducted against [the] target."

The FBI's Cryptographic and Electronic Analysis Unit, CEAU, responded with two options. One of them was redacted from the released document as a sensitive investigative technique. The other is described this way: "CEAU advised Pittsburgh that they could assist with a wireless hack to obtain a file tree, but not the hard drive content."

Computer Gremlins Knock LAPD Crime-Mapping Offline

One of the cornerstones of Chief William J. Bratton's tenure at the Los Angeles Police Department has been Compstat, the computerized crime-tracking program that allows officials to quickly shift resources to deal with problems arising across the city.

But since Monday, a computer crash has rendered the crime-mapping system inoperable, resulting in a breakdown of the department's ability to analyze crime data. Officials familiar with the system, known as computer analysis mapping or CAM, said it was the longest breakdown since the system was introduced in 2003.

LAPD spokesman Jason Lee said department techs would work through the weekend to fix the problem as quickly as possible. The breakdown is the latest in a series of technical issues that have beset LAPD computer servers, he said.

"We have had intermittent glitches the last two months, but the system was operational," Lee said. "This time there was a full shutdown."

Microsoft Talks Data Tools for Law Enforcement

Once again, software is fighting crime. Microsoft unveiled a suite of tools and initiatives for law-enforcement groups "specifically designed to improve public security and safety," the company said.

Law enforcement agencies, like businesses, face a mountain of data that they are not adequately analyzing. Microsoft's Citizen Safety Architecture resembles IBM's BAO announcement in that both comprise a tool set and method to analyze extremely large data sets and to collate data from many sources.

It's also the latest example of law enforcement officials arming themselves with better technology to help fight crime. The FBI, for instance, said that new database and data-sharing efforts have resulted in solving a number of difficult highway serial killings.

Gathering that data is key. That's why Microsoft this week said it is giving a free tool to INTERPOL called the Computer Online Forensic Evidence Extractor (COFEE), an application that "uses common digital forensics tool to help officers at the scene of the crime."

Researcher Offers Tool to Hide Malware in .NET

A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft's .Net framework on Windows computers.

The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC.

.Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said Erez Metula, the software security engineer for 2BSecure who wrote the tool.

"You'll be amazed at how easy it is to devise an attack," Metula said during a presentation at the Black Hat security conference in Amsterdam on Friday.

Twitter Teen Hacker Hired by Web App Developer

An Oregon-based Web application developer today confirmed he has hired the teenager who admitted attacking Twitter with several different worms last weekend.

Travis Rowland, of Hammond Ore. said that he had offered a job to Michael "Mikeyy" Mooney, a 17-year-old who said last week he had written at least two of the worms that struck Twitter starting on April 11.

In a telephone interview on Friday, Rowland, the CEO of exqSoft Solutions, described his company as doing "custom Web application development, primarily geared toward businesses."

Mooney came to his attention because of the Twitter worms, Rowland acknowledged. "I contacted him and saw his Web site, and thought it was interesting," said Rowland. "Then I talked to him and found out he did it all by hand, so I asked him if he wanted to work as a programmer."

Rowland said that Mooney would also be involved doing "security analysis for us, to make sure our applications are as secure as they can be."

Thursday, April 16, 2009

CIPAV: FBI Spyware Has Been Snaring Extortionists and Hackers for Years

A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, newly declassified documents show.

As first reported by Wired.com, the software, called a "computer and internet protocol address verifier," or CIPAV, is designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia. The FBI's use of the spyware surfaced in 2007 when the bureau used it to track e-mailed bomb threats against a Washington state high school to a 15-year-old student.

But the documents released Thursday under the Freedom of Information Act show the FBI has quietly obtained court authorization to deploy the CIPAV in a wide variety of cases, ranging from major hacker investigations, to someone posing as an FBI agent online. Shortly after its launch, the program became so popular with federal law enforcement that Justice Department lawyers in Washington warned that overuse of the novel technique could result in its electronic evidence being thrown out of court in some cases.

"While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit," reads a formerly-classified March 7, 2002 memo from the Justice Department's Computer Crime and Intellectual Property Section.

Terry Childs: State of the case

It's been 10 months since Terry Childs was arrested and jailed for refusing to divulge the administrative log-ins to the San Francisco FiberWAN. Recently, the case has fallen off the radar of the mainstream media, and there really hasn't been much to tell in the past few months. Childs is still in jail, he has not yet plead in the case, and there has been no court date set for a trial.

There have been several motions and other legal instruments filed since December, but a new judge has been assigned to the case, and the hearings on those motions have been delayed for over six weeks earlier this year. These postponements were introduced by the judge, who stated that he needed the time to properly understand the highly technical case and read through the more than 1,200 pages of transcripts. It does seem that the new judge is taking an interest in the case and has a desire to understand the technical issues present.

Role of Bush NSA Plan Under Review

The Bush administration planned last year to direct the National Security Agency, which specializes in spying electronically on foreign adversaries, to take the techniques it has employed to defend military computer networks and use them to protect U.S. government civilian networks, according to current and former officials.

When the effort did not proceed as quickly as hoped, NSA employees on loan to the Department of Homeland Security sought to test sophisticated software that would send sensor technologies into the Internet to detect malicious code entering civilian government networks, the officials said.

The goal: "Stop it before it gets there," one former official said. He and other sources spoke on the condition of anonymity because the methods are classified.

The Obama administration is looking at the Bush plan as part of a 60-day review of the government's cybersecurity strategies and programs expected to be completed today. Congressional committees had concerns about civil liberties, cost and complexity, officials said. DHS still plans to conduct the sensor test, part of a program called Einstein 3, in a manner that the department says will respect privacy and civil liberties laws and rules, and has briefed Congress on the proposal, spokeswoman Amy Kudwa said.

Hackers Test Limits of Credit Card Security Standards

The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.

In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire PCI scheme is only a tool to shift risk off the banks and credit card companies' balance sheets.

DoJ: U.S. Government Exceeded Surveillance Authority

The U.S. National Security Agency (NSA) exceeded its surveillance authority of U.S. residents under a far-reaching telephone and Internet communications wiretap program, the U.S. Department of Justice said Thursday.

During routine oversight of the NSA surveillance program, DOJ and NSA officials "detected issues that raised concerns," the DOJ said in a statement.

"Once these issues were identified, the Justice Department ... took comprehensive steps to correct the situation and bring the program into compliance," the statement added. "The Justice Department takes its national security oversight responsibilities seriously and works diligently to ensure that surveillance under established legal authorities complies with the nation's laws, regulations and policies, including those designed to protect privacy interests and civil liberties."

The DOJ statement came after a New York Times report Wednesday saying the NSA in recent months has exceeded congressional limits on the surveillance program. The Times report, quoting unnamed government officials, said the spying was "significant and systemic" in its over-collection of U.S. residents' phone calls and e-mail messages.

NSA's Intercepts Exceed Limits Set by Congress

The National Security Agency intercepted private e-mail messages and phone calls of Americans in recent months on a scale that went beyond the broad legal limits established by Congress last year, government officials said in recent interviews.

Several intelligence officials, as well as lawyers briefed about the matter, said the N.S.A. had been engaged in “overcollection” of domestic communications of Americans. They described the practice as significant and systemic, although one official said it was believed to have been unintentional.

The legal and operational problems surrounding the N.S.A.’s surveillance activities have come under scrutiny from the Obama administration, Congressional intelligence committees, and a secret national security court, said the intelligence officials, who were speaking only on the condition of anonymity because N.S.A. activities are classified. A series of classified government briefings have been held in recent weeks in response to a brewing controversy that some officials worry could damage the credibility of legitimate intelligence-gathering efforts.

The Justice Department, in response to inquiries from The New York Times, acknowledged in a statement on Wednesday night that there had been problems with the N.S.A. surveillance operation, but said they had been resolved.

Cyber Criminals Create Botnet Using Mac Computers

A piece of malicious software unwittingly shared over a peer-to-peer network in January was the key tool in what security researchers are saying was the first known attempt to create a botnet of Mac computers.

Researchers at Symantec say the Trojan, called OSX.Iservice, hid itself in pirated versions of the Apple application iWork '09 and the Mac version of Adobe Photoshop CS4 that were shared on a popular peer-to-peer bittorrent network.

Once downloaded, the applications themselves worked normally, but the Trojan opens a "back door" on the compromised computer that allows it to begin contacting other hosts in its peer-to-peer network for commands.

Researchers Mario Barcena and Alfredo Pesoli of Symantec Ireland, writing in the April 2009 issue of the Virus Bulletin, say the network of infected computers attempted to initiate a denial of service attack on a website in January.

Amazon Rejects Phorm's Behavioral Advertising

Following news on Thursday that the European Commission has begun legal proceedings against the United Kingdom for allowing Phorm to deploy behavioral advertising technology that violates European Union privacy rules, Amazon said it would not allow Phorm to use its Webwise behavior tracking service on any of its Web domains.

"We have contacted Webwise requesting that we opt out for all of our domains," said an Amazon spokesperson in an e-mail.

Asked to supply a reason for the decision, the company's spokesperson did not reply.

PIN Crackers Nab Holy Grail of Bank Card Security

Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to the investigator behind a new report looking at the data breaches.

The attacks, says Bryan Sartin, director of investigative response for Verizon Business, are behind some of the millions of dollars in fraudulent ATM withdrawals that have occurred around the United States.

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report [.pdf] Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

Chinese National Arrested For Source Code Theft

A Chinese citizen on a work visa in the United States was arrested by the FBI last week for allegedly revealing proprietary software code owned by his unidentified U.S. employer to a Chinese government agency.

Yan Zhu, 31, of Lodi, N.J. -- also known as "Westerly Zhu" -- was arrested on charges of theft of trade secrets, conspiracy, wire fraud, and theft of honest services fraud.

"Crimes of this nature do not get much public attention," FBI Special Agent in Charge Weysan Dun said in a statement. "No one is shot, there is no crime scene, no prominent public figures are involved. However, this is an act of economic violence -- a paper crime that robs the victim company of the resources they expended to develop a product."

Dun said that white-collar crimes of this sort are clearly dangerous to America's economic infrastructure. "If American dollars are spent on research and development of a product, and then that product or research is taken without any compensation to American companies, the value of American companies and American products is significantly reduced in the global marketplace," he said.

David Schafer, the assistant federal public defender representing Zhu, declined to comment or to identify Zhu's former U.S. employer.

Australia: Bottle Domains Dumped by auDA Over Security Breach

The Australian domain name administrator has ruled out a review of its registrar agreements in the wake of its decision to terminate Bottle Domains accreditation today over a security breach.

auDA took the action after it emerged Bottle may have hidden the hacking of its database for almost two years.

A spokesperson for Bottle was "not available" for comment.

The termination has left Bottle resellers such as Melbourne-based Cove "between a rock and a hard place" - with Cove, Bottle's largest reseller, now making a play to become a registrar in its own right.

Bottle, which counts some 11,000 registrants as customers, is the subject of an ongoing investigation by the Australian Federal Police after it was revealed in February that usernames and passwords had been compromised in a ‘security breach'.

It has now emerged, however, that the February ‘breach' may not have been the first.

Conficker Group Says Worm 4.6 Million Strong

Security experts say that the Conficker worm has infected an awful lot of computers, making it the largest "botnet" of hacked computers on the planet. The thing they can't seem to agree on, however, is exactly how many people have been hit.

The group of researchers that has been most closely tracking -- and battling -- the worm has now released its own estimate of Conficker's size. According to data compiled by the Conficker Working Group, Conficker has been spotted on just under 4.6 million unique IP addresses. Its earlier A and B variants account for the lion's share of that -- 3.4 million IP addresses -- with the more-recent C variant spotted at 1.2 million addresses.

The countries measuring the largest number of infections for all variants are China, Brazil ,and Russia.

Conficker has been infecting Windows machines since October, but in recent weeks, it has been getting a lot of attention as a newer version of the worm, Conficker.C, has updated the way it looks for instructions, making it much harder to stop.

SCADA Watch: Foolish Logic Undermines Electrical Grid Security

About a year ago, I blogged about attacking power grid control systems as part of a penetration test. At the time, a lot of people claimed it was complete nonsense. I was even told by a Washington Post reporter that the Nuclear Regulatory Commission was offering detailed presentations to discredit my comments. It was actually quite entertaining that the government would waste so much time on me. However, while they were wasting time to discredit me, they were leaving our power grid wide open.

In May 2008, the GAO released a report [.pdf] and testified to Congress about how the Tennessee Valley Authority, a Southern power company, intermingles its control systems with its business systems on the same network, which was, not so ironically, how I described the vulnerabilities exploited by my penetration test. There was also a widely noted statement by a CIA analyst that details the same problem of foreign governments being extorted by computer hackers who compromised their power grids.

The Wall Street Journal recently reported that foreign intelligence agencies have infiltrated the U.S. power grid and have planted malware to selectively sabotage the grid at a time of their choosing. Given the well documented weaknesses in the power grid, this should not be surprising.

Most people wonder why the power grid is so insecure, and the answer is simple: Well paid lobbyists and naïve Congresspeople. For more than a decade, the U.S. government has relied on the power companies to protect themselves, despite no real improvement over the years. Yet the Department of Homeland Security (DHS) continues to call for "voluntary" efforts.

The cliché definition of insanity is doing the same thing again and again, and expecting different results. The DHS is clearly insane.

Microsoft Fixes Excel, Carpet-Bombing Security Flaws

Microsoft has fixed critical flaws in its Windows, Office, and Internet Explorer software in the company's largest set of security patches this year.

Released Tuesday, the updates fix a number of well-known problems in the company's software, including vulnerabilities in Excel and the WordPad text converter that have been exploited by attackers in a small number of online attacks.

A few other known bugs also were fixed Tuesday, including some issues in Windows and Internet Explorer that could be used to pull off a so-called carpet-bombing attack, and Windows flaws that could give attackers extra privileges on a Windows machine.

All told, Microsoft released eight software updates, fixing dozens of bugs in its products. Five of the updates are rated critical by Microsoft, meaning they fix flaws that could be exploited by attackers to run unauthorized software on a computer.

Pharmacy Hackers Busted in Romania

Romanian authorities said they have arrested five people accused of illegally accessing computer systems belonging to U.S. pharmaceutical companies.

The Central European nation's Directorate for Fighting Electronic Crime said Monday in a statement that the suspects infiltrated a number of computers to steal credit card data that resulted in losses of about $800,000.

The accused hackers, ages 20 to 32, installed keylogger software onto the computers to steal card data at point-of-sales systems, said Romanian authorities, who worked with the FBI on the investigation.

SCADA Watch: China, Russia Top Sources of Power Grid Probes

Last week, blogs and the mainstream press alike were abuzz with reports that Chinese and Russian hackers had penetrated the U.S. power grid and left behind secret back doors. The original story, a piece in the Wall Street Journal, was light on details, and many readers have asked me if I uncovered additional nuggets of knowledge about the existence of these back doors. I have not.

But I have discovered some interesting data published recently, which seems to support the notion that China and Russia are quite interested in locating digital control systems connected to our nation's power grid and other complex critical infrastructures.

The data comes from a white paper [.pdf] released late last month by Team Cymru, a group of researchers who try to discover who is behind Internet crime and why. That document sought to provide empirical evidence to show which nations were most active in probing our networks for the presence of highly specialized systems designed to control large, complex systems.

These so-called "supervisory control and data acquisition" (SCADA) systems help engineers monitor, communicate with, and control equipment used for energy generation and distribution (SCADA systems also help manage other complex systems, such as water networks, transportation switching systems, etc.).

The framework uses the victim as a cover for an attack. "It's basically an agentless botnet...there's no trace of our code on their system," says Flick, who adds such an attack would likely have legal ramifications. "It's a decent way of hiding your tracks."

The researchers demonstrated their proof of concept [.pdf], but did not release any code. They acknowledged that XSS and anonymization make an unlikely couple. "Putting anonymity and cross-site scripting together is unusual," Flick said during the pair's demo.

In a nutshell, the attack turns an unsuspecting user's browser into an anonymous browsing tool for the attacker, who then can silently abuse the browser to access Web content he doesn't want traced to him, such as porn or a site for espionage or theft purposes.

Sunday, April 12, 2009

Conficker Worm Hits University of Utah Computers

University of Utah officials say a computer virus has infected more than 700 campus computers, including those at the school's three hospitals.

University health sciences spokesman Chris Nelson said the outbreak of the Conficker worm, which can slow computers and steal personal information, was first detected Thursday. By Friday, the virus had infiltrated computers at the hospitals, medical school, and colleges of nursing, pharmacy and health.

Nelson says patient data and medical records have not been compromised.

Information technology staff shut of Internet access for up to six hours at some campus locations Friday so they could isolate the virus. They were expected to work through the weekend to eradicate it from the system.